This is part two of my conversation with Kevin Mitnick. Part one can be found here.

A Hacker's Point of View

Kevin Mitnick: The hacker mindset doesn't actually see what happens on the other side, to the victim. As a hacker you think "Well, they were kind of naive, they picked easy passwords, I got in, I installed an SSHD Trojan, and when they figure it out all they've got to do is fix the Trojan and change a couple of passwords, so what's that going to take - ten minutes?"

That's how a hacker thinks, but on the other side, now that I work as a security specialist, it's more like "Oh my God! Who is this? What are they trying to do? We have to reload everything, we have to check every system on the network for integrity issues." Now it's a question of integrity — can we really trust our information? So now you're seeing man hours build into tens of thousands of dollars worth of loss in time and productivity. As a hacker you don't think about that.

There's also a question of ethics. As a young boy, I was taught in high school that hacking was cool. My first program was supposed to be written in basic and was supposed to find the first thousand Fibonacci numbers, but I decided I was going to write a program that was a log-in simulator so that when the teacher would go up to the computer and sign us in, it would snarf his password and log him in.

He would never know. Then I would tell him his password all the time. It was like a cat and mouse game with the teacher. When he finally figured it out and I told him about the program — I also told him that I didn't have enough time to do his assignment — he still gave me an "A".

Today, I'd be expelled, hauled off by the police, and my Mom would be picking me up from the police. Back in the seventies it was more like "this guy's smart, he's gifted, he's a whiz-kid," and I was actually patted on the back for this type of conduct. So the ethic I was taught in school resulted in the path I chose in my life following school.

Q: Do you think either approach is right? The seventies' approach or today's approach?

KM: I think equating hacking with a sort of cyber-terrorism is a bit of overkill, for example there's a new law that says that if you use a computer and cause serious bodily injury or death to a victim you get life without the possibility of parole — because there's no parole in the Federal system — but if you take a hammer or a motorcycle and you kill someone or seriously injure them it's not nearly as punitive. So, why? If the computer is the tool, why is the punishment so harsh? We should punish the person based on the harm they caused, not on the tool they used.

Q: Except that Joe on the street understands a hammer but he doesn't understand the computer, right?

KM: Right. So he's that much more scared of it.

Q: Isn't that one of the problems with legislators getting involved and trying to mandate defenses, because they don't understand the problem?

KM: Well, I'll give you an example. I went to Capitol Hill to testify about identity theft. So these older, people — much senior to me — decided that one of the biggest ways they were going to combat theft is that when you go to a restaurant they were going to make it mandatory that they don't print the whole credit card number on the receipt, so nobody could fish it out of the dumpster. So I'm thinking they're going about this all wrong.

They've got to start thinking like the bad guys. All they need to do is to set up some website somewhere selling some bogus product at twenty percent of the normal market prices and people are going to be tricked into providing their credit card numbers. So what you have to do is think about authenticating credit card transactions more than thinking about obfuscating the credit card number. They just didn't get it. They just don't understand the problem, so they're never going to come up with the solution.

Q: Which is the bigger threat, social engineering or specific technologies?

KM: Both! If the truth be known, you actually use a combination to compromise any type of security controls, where there is the least risk and it's the least costly. For example, Motorola; let's say I wanted to get a copy of the source code for Digital Voice Privacy because I wanted to eavesdrop on the FBI and they use DVP Astro Motorola radios. And I think maybe they made a programming error so the crypto they implemented in this product might not be sound and I could eavesdrop on Federal Agents and that would be fun, right?

So you find a vulnerability into one of Motorola's gateways into their network through a technical flaw. So once there, the hacker wants to know "where is the DVP source code?" So what's the quickest way of finding out? Social engineering, right? So he calls the department and finds out who's working on that project, and that's a lot faster than trying to scour every machine on Motorola's campus. It's a blended attack.